Just for the heck of it, hit [shift+F5], and then attempt to log on again.

Double click on the text box that says "Or, you can manually enter your OpenID", and select your provider, then press "Log in". (Only works if you save form information.)

You will note that you get logged in again, without having to give the username:password. I'm not sure if the problem is a bug with stackexchange, OpenID or my OpenID provider, but it's clearly a bug.

I'm a little fuzzy on what exactly HTML5 storage is, but I think it's different than DOM storage. However, from reading questions 73702 I would assume that the log out everywhere button should be clearing this. Am I understanding the implementation wrong here?

Might be related to questions 70908. I am running NoScript, because I don't surf without protection. Let me try a few tests.
– OpenID-test1 May 23 '11 at 2:33

Not related to questions 70908. I tested this by closing Firefox, running $ nohup firefox -ProfileManager & and then creating a brand new profile. I wasn't able to discard my cookies and I didn't erase my "flash cookies" and DOM storage, but the issue should be with the HTML5 storage if I'm understanding the process correctly.
– OpenID-test1 May 23 '11 at 2:44

3 Answers
3

The problem seems to be the OpenID provider. I've created a second disposable OpenID using a Yahoo email address. Using a clean, freshly created Firefox profile I can log in to the new account and then press that somewhat hidden logout button, press the second log out everywhere button and then go into my Firefox prefs and delete all my cookies and that will truly log me out.

I have no clue why I need to flush my cookies though. Shouldn't StackExchange edit my cookies to move the expiration date into the past when I log out??

Edited to add: Ah, all I need to do is:

1. Hover, click on hidden logout.
2. Press the log out everywhere button.
3. Go into my browser and kill all five of the cookies that Yahoo! gives me. I don't need to touch the StackExchange cookies at all.

Now I could post a legitimate question that asks, "Which OpenID provider will, when I log into them for 3rd party verification, let me log in, approve my credentials, and then log me out without me having to visit them or play with cookies?"

Instead of flushing Yahoo cookies, I can open Yahoo in a new tab and log out there anytime after I've used them for 3rd party verification and that will work too. I would guess there would be zero incentive for the big OpenID providers like Yahoo, Facebook, and Google to log you out automatically immediately after using them for 3rd party verification even if doing so is counter-intuitive and dangerous on a shared computer. IMHO, this is a serious flaw for current OpenID implementations.
– OpenID-test2 May 23 '11 at 3:57

If you "logout everywhere" we destroy your session on the site (so the cookie is no good anymore, even if some other browser instance holds it) and clear global login credentials (which are in local storage).

We can't affect any OpenID provider's login state, because we don't control them (which is most of the point of OpenID) so naturally you'll remain logged into Yahoo, Google, or whomever you're using. Thus it is impossible for any of our logout buttons to get you back to a "must enter username & password" state, by design.

Yea, you are not getting the original question. Let's say I use my Yahoo OpenID to answer a superuser.com question. Then my coworker wants to log into his account. If I don't also log out from Yahoo, my coworker can't log in using his Yahoo account. If he tries, he just logs into my account, and without entering my password. ---- I would recommend a line near the _log out everywhere_ button that says something like "We also recommend you log out of your OpenID provider, we cannot do that for you, sorry" --- The original wonky behavior was due to a non-maintained OpenID script
– OpenID-test2 May 23 '11 at 19:39
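Added example, not part of the original thread and not Stack Exchange's code: a toy Python model of the two independent sessions described in the answer above, run through the shared-computer case from the comment. The class names, the `alice.example` identifier, the cookie names and the dict standing in for the browser are all assumptions made for illustration.

```python
import secrets

class Provider:
    """Toy OpenID provider (OP): keeps its own session, separate from the site's."""
    def __init__(self, accounts):
        self.accounts = accounts   # identifier -> password (constructed values)
        self.sessions = {}         # OP cookie value -> identifier
    def login(self, browser, identifier, password):
        if self.accounts.get(identifier) != password:
            return False
        browser["op_cookie"] = secrets.token_hex(8)
        self.sessions[browser["op_cookie"]] = identifier
        return True
    def logout(self, browser):
        self.sessions.pop(browser.pop("op_cookie", None), None)
    def assert_identity(self, browser):
        # Answered from the OP cookie alone; None means "show the password form".
        return self.sessions.get(browser.get("op_cookie"))

class RelyingParty:
    """Toy relying party (the site): can revoke only the sessions it issued."""
    def __init__(self, provider):
        self.provider = provider
        self.sessions = {}         # site cookie value -> identifier
    def login(self, browser):
        identifier = self.provider.assert_identity(browser)
        if identifier is None:
            return "password prompt at provider"
        browser["rp_cookie"] = secrets.token_hex(8)
        self.sessions[browser["rp_cookie"]] = identifier
        return f"logged in as {identifier}"
    def logout_everywhere(self, browser):
        user = self.sessions.get(browser.get("rp_cookie"))
        # Destroy every site session for this user server-side, then local state.
        self.sessions = {c: i for c, i in self.sessions.items() if i != user}
        browser.pop("rp_cookie", None)
        browser.pop("local_storage", None)

def shared_computer_scenario():
    op = Provider({"alice.example": "constructed-password"})
    rp, browser = RelyingParty(op), {}
    op.login(browser, "alice.example", "constructed-password")
    first = rp.login(browser)
    rp.logout_everywhere(browser)
    second = rp.login(browser)        # next person clicks "Log in": no password asked
    op.logout(browser)                # the missing step: end the provider session too
    rp.logout_everywhere(browser)
    return [first, second, rp.login(browser)]
```

Only the third login attempt reaches a password prompt, because that is the only one made after the provider's own session was ended.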

The logout button does log you out of Stack Exchange. That's why, when you go to the login page, you have to enter in your OpenID. At this point, SE asks the OpenID provider, is this person who he/she says he is?

Your OpenID provider is confirming this without making you login for some reason, which is really weird, because if you deleted all your cookies, they should have no idea who you are (unless you're deleting only your SE cookies). I would probably attribute this to your browser not clearing your cookies properly, since your OpenID provider probably doesn't confirm everyone's identity without checking it.

Please clarify "unless you're deleting only your browser cookies". I was deleting my "flash cookies" too, during the initial test. After creating the new Firefox profile without NoScript, I did not clear my flash cookies, but SE uses the HTML5 storage, not Flash.
– OpenID-test1 May 23 '11 at 2:49

It might be my OpenID provider. I will create a new disposable OpenID with a different provider to test.
– OpenID-test1 May 23 '11 at 2:50